Wednesday, October 10, 2012

Attribution - Team Cyberthack and The Game of Facebook Phishing Attack - Tracking Back

This Facebook case study is an interesting one and based on the ongoing Facebook phishing attack leading to malware. Interestingly, the attack seems to be launched by the Indonesian and Spanish hackers considering the languages used in the deployed code. Our team came across a Facebook phishing email embedded with a video and other malicious links. Every single URL pointed to a same domain. The Facebook message embedded in the email carried a notification message that says something as follows:

"Miiiii lindoooo! Ahahahaha this videoo muestrezzz not what to nadiesss = $ $ $ $ ZIII? Tiii is for! Because? Yoooo muxiiiisisisisizimoooo amoooo you! Muxo like me will I require your videooo montonezzzz!! porfiz when estez at ............" Read more. This video was ranked No one under 18.

The original message is presented below:

"Miiiii lindoooo!!! ahahahaha este videoo no se lo muestrezzz a nadiesss =$$$$ ziii ?? es solo para tiii!! porque ? yoooo te amoooo muxiiiisisisisizimoooo!!! me gusto muxo tu videooo te requiero montonezzzz!!!! porfiz cuando estez en. ..... . ....." Leer mas

Este video fue clasificado Prohibido para menores de 18 años.

The phishing email was structured as shown below:


Before looking into the kind of malware served by this phishing attack, let's dissect the other relevant information gathered from this malicious domain. The facts are as follows:

1. The domain was compromised by the Cyberthack Team.


2. On analyzing further, we found information embedded in one of the web pages about the profile of a user. We cannot say whether this profile is legitimate or fake at this point in time, but it is worthwhile to look into. The profile is presented below:


3. Some of the JavaScript files used on this malware domain are taken from http://cirebon-cyber4rt.blogspot.com/. Guys, it is always good to remove the comments when you are doing this kind of job.

4. Again, a configuration flaw in the web server running on this malicious domain allowed us to access a custom statistics page that recorded the visitors to that link. It is shown below:

The language used on this page is Spanish. From it, the number of visitors that reached this page is easy to read off.

5. The malicious link downloaded a facebook.exe executable onto the victim machine. Some of the facts are listed below:
5.1 The malicious program is written in Visual Basic.
5.2 No packer is used to pack the critical sections, and no code obfuscation is used.
5.3 The malicious program carries a reference to TortoiseBlame (http://tortoisesvn.tigris.org/blame.html). It seems the malware tries to look legitimate.
5.4 The malware executes silently on the system and, on successful installation, opens the facebook.com web page.
5.5 The malware creates wincal.exe in the %systemroot% folder and uses a registry entry to load it. This file is again a Visual Basic program.
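A host check for the persistence described in 5.5, added here as an example and not part of the original post: it looks for wincal.exe in %SystemRoot%, for autorun registry values that reference it, and for a running process loaded from that path. The post does not name the registry key the malware uses, so the common Run/RunOnce keys under HKLM and HKCU are assumed.

```powershell
# Added hunting check (not from the original post) for the wincal.exe
# persistence described above. Assumption: the post does not name the
# registry key, so the usual Run/RunOnce autorun keys are inspected.
function Find-WincalPersistence {
    $dropName = 'wincal.exe'
    $dropPath = Join-Path $env:SystemRoot $dropName
    $autorunKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $findings = @()

    # 1. The dropped file in %SystemRoot%
    if (Test-Path -LiteralPath $dropPath) {
        $file = Get-Item -LiteralPath $dropPath
        $findings += [pscustomobject]@{
            Indicator = 'File'; Location = $dropPath
            Detail    = "Size=$($file.Length) Created=$($file.CreationTime)"
        }
    }

    # 2. Autorun values whose data references wincal.exe
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
            if ("$($p.Value)" -match [regex]::Escape($dropName)) {
                $findings += [pscustomobject]@{
                    Indicator = 'Registry'; Location = "$key\$($p.Name)"
                    Detail    = "$($p.Value)"
                }
            }
        }
    }

    # 3. A live process running from the dropped path
    foreach ($proc in (Get-Process -ErrorAction SilentlyContinue)) {
        if ($proc.Path -and ($proc.Path -ieq $dropPath)) {
            $findings += [pscustomobject]@{
                Indicator = 'Process'; Location = "PID $($proc.Id)"; Detail = $proc.Path
            }
        }
    }
    return $findings
}

$result = Find-WincalPersistence
if ($result.Count -eq 0) { 'No wincal.exe persistence indicators found.' }
else { $result | Format-Table -AutoSize }
```

Run it from an elevated prompt so that the HKLM keys and other users' processes are readable; a match on any of the three indicators is a reason to pull the file for analysis rather than to delete it immediately.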


Stay secure. 

Note: This attack is still active.